CVE-2023-20185

A vulnerability in the Cisco ACI Multi-Site CloudSec encryption feature of Cisco Nexus 9000 Series Fabric Switches in ACI mode could allow an unauthenticated, remote attacker to read or modify intersite encrypted traffic. This vulnerability is due to an issue with the implementation of the ciphers that are used by the CloudSec encryption feature on affected switches. An attacker with an on-path position between the ACI sites could exploit this vulnerability by intercepting intersite encrypted traffic and using cryptanalytic techniques to break the encryption. A successful exploit could allow the attacker to read or modify the traffic that is transmitted between the sites. Cisco has not released and will not release software updates that address this vulnerability.

Weakness

The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.

Affected Software

Name	Vendor	Start Version	End Version
Nx-os	Cisco	14.0(1h) (including)	14.0(1h) (including)
Nx-os	Cisco	14.0(2c) (including)	14.0(2c) (including)
Nx-os	Cisco	14.0(3c) (including)	14.0(3c) (including)
Nx-os	Cisco	14.0(3d) (including)	14.0(3d) (including)
Nx-os	Cisco	14.1(1i) (including)	14.1(1i) (including)
Nx-os	Cisco	14.1(1j) (including)	14.1(1j) (including)
Nx-os	Cisco	14.1(1k) (including)	14.1(1k) (including)
Nx-os	Cisco	14.1(1l) (including)	14.1(1l) (including)
Nx-os	Cisco	14.1(2g) (including)	14.1(2g) (including)
Nx-os	Cisco	14.1(2m) (including)	14.1(2m) (including)
Nx-os	Cisco	14.1(2o) (including)	14.1(2o) (including)
Nx-os	Cisco	14.1(2s) (including)	14.1(2s) (including)
Nx-os	Cisco	14.1(2u) (including)	14.1(2u) (including)
Nx-os	Cisco	14.1(2w) (including)	14.1(2w) (including)
Nx-os	Cisco	14.1(2x) (including)	14.1(2x) (including)
Nx-os	Cisco	14.2(1i) (including)	14.2(1i) (including)
Nx-os	Cisco	14.2(1j) (including)	14.2(1j) (including)
Nx-os	Cisco	14.2(1l) (including)	14.2(1l) (including)
Nx-os	Cisco	14.2(2e) (including)	14.2(2e) (including)
Nx-os	Cisco	14.2(2f) (including)	14.2(2f) (including)
Nx-os	Cisco	14.2(2g) (including)	14.2(2g) (including)
Nx-os	Cisco	14.2(3j) (including)	14.2(3j) (including)
Nx-os	Cisco	14.2(3l) (including)	14.2(3l) (including)
Nx-os	Cisco	14.2(3n) (including)	14.2(3n) (including)
Nx-os	Cisco	14.2(3q) (including)	14.2(3q) (including)
Nx-os	Cisco	14.2(4i) (including)	14.2(4i) (including)
Nx-os	Cisco	14.2(4k) (including)	14.2(4k) (including)
Nx-os	Cisco	14.2(4o) (including)	14.2(4o) (including)
Nx-os	Cisco	14.2(4p) (including)	14.2(4p) (including)
Nx-os	Cisco	14.2(5k) (including)	14.2(5k) (including)
Nx-os	Cisco	14.2(5l) (including)	14.2(5l) (including)
Nx-os	Cisco	14.2(5n) (including)	14.2(5n) (including)
Nx-os	Cisco	14.2(6d) (including)	14.2(6d) (including)
Nx-os	Cisco	14.2(6g) (including)	14.2(6g) (including)
Nx-os	Cisco	14.2(6h) (including)	14.2(6h) (including)
Nx-os	Cisco	14.2(6l) (including)	14.2(6l) (including)
Nx-os	Cisco	14.2(6o) (including)	14.2(6o) (including)
Nx-os	Cisco	14.2(7f) (including)	14.2(7f) (including)
Nx-os	Cisco	14.2(7l) (including)	14.2(7l) (including)
Nx-os	Cisco	14.2(7q) (including)	14.2(7q) (including)
Nx-os	Cisco	14.2(7r) (including)	14.2(7r) (including)
Nx-os	Cisco	14.2(7s) (including)	14.2(7s) (including)
Nx-os	Cisco	14.2(7t) (including)	14.2(7t) (including)
Nx-os	Cisco	14.2(7u) (including)	14.2(7u) (including)
Nx-os	Cisco	14.2(7v) (including)	14.2(7v) (including)
Nx-os	Cisco	14.2(7w) (including)	14.2(7w) (including)
Nx-os	Cisco	15.0(1k) (including)	15.0(1k) (including)
Nx-os	Cisco	15.0(1l) (including)	15.0(1l) (including)
Nx-os	Cisco	15.0(2e) (including)	15.0(2e) (including)
Nx-os	Cisco	15.0(2h) (including)	15.0(2h) (including)
Nx-os	Cisco	15.1(1h) (including)	15.1(1h) (including)
Nx-os	Cisco	15.1(2e) (including)	15.1(2e) (including)
Nx-os	Cisco	15.1(3e) (including)	15.1(3e) (including)
Nx-os	Cisco	15.1(4c) (including)	15.1(4c) (including)
Nx-os	Cisco	15.2(1g) (including)	15.2(1g) (including)
Nx-os	Cisco	15.2(2e) (including)	15.2(2e) (including)
Nx-os	Cisco	15.2(2f) (including)	15.2(2f) (including)
Nx-os	Cisco	15.2(2g) (including)	15.2(2g) (including)
Nx-os	Cisco	15.2(2h) (including)	15.2(2h) (including)
Nx-os	Cisco	15.2(3e) (including)	15.2(3e) (including)
Nx-os	Cisco	15.2(3f) (including)	15.2(3f) (including)
Nx-os	Cisco	15.2(3g) (including)	15.2(3g) (including)
Nx-os	Cisco	15.2(4d) (including)	15.2(4d) (including)
Nx-os	Cisco	15.2(4e) (including)	15.2(4e) (including)
Nx-os	Cisco	15.2(4f) (including)	15.2(4f) (including)
Nx-os	Cisco	15.2(5c) (including)	15.2(5c) (including)
Nx-os	Cisco	15.2(5d) (including)	15.2(5d) (including)
Nx-os	Cisco	15.2(5e) (including)	15.2(5e) (including)
Nx-os	Cisco	15.2(6e) (including)	15.2(6e) (including)
Nx-os	Cisco	15.2(6g) (including)	15.2(6g) (including)
Nx-os	Cisco	15.2(7f) (including)	15.2(7f) (including)
Nx-os	Cisco	15.2(7g) (including)	15.2(7g) (including)
Nx-os	Cisco	15.2(8d) (including)	15.2(8d) (including)
Nx-os	Cisco	16.0(1g) (including)	16.0(1g) (including)
Nx-os	Cisco	16.0(1j) (including)	16.0(1j) (including)
Nx-os	Cisco	16.0(2h) (including)	16.0(2h) (including)

Potential Mitigations

Use a well-vetted algorithm that is currently considered to be strong by experts in the field, and select well-tested implementations with adequate length seeds.
In general, if a pseudo-random number generator is not advertised as being cryptographically secure, then it is probably a statistical PRNG and should not be used in security-sensitive contexts.
Pseudo-random number generators can produce predictable numbers if the generator is known and the seed can be guessed. A 256-bit seed is a good starting point for producing a “random enough” number.

NVD	https://nvd.nist.gov/vuln/detail/CVE-2023-20185
CWE	https://cwe.mitre.org/data/definitions/330.html

Use of Insufficiently Random Values

Weakness

Affected Software

Potential Mitigations

References

CVE-2023-20185

Use of Insufficiently Random Values

Weakness

Affected Software

Potential Mitigations

Related Attack Patterns

References